-
1. Re: WildFly session id not change when timeout?
rhusar Mar 5, 2014 9:30 AM (in response to minglei.lee)I noticed this a while ago too, looks like a bug to me too, the ID should not be recycled.
[rhusar@x220 script]$ curl http://localhost:8080/clusterbench/session --no-keepalive -b ck.txt -c ck.txt 0 [rhusar@x220 script]$ curl http://localhost:8080/clusterbench/session --no-keepalive -b ck.txt -c ck.txt 1 [rhusar@x220 script]$ curl http://localhost:8080/clusterbench/session --no-keepalive -b ck.txt -c ck.txt 2 [rhusar@x220 script]$ curl http://localhost:8080/clusterbench/session --no-keepalive -b ck.txt -c ck.txt 3 [rhusar@x220 script]$ curl http://localhost:8080/clusterbench/session --no-keepalive -b ck.txt -c ck.txt 4 [rhusar@x220 script]$ curl http://localhost:8080/clusterbench/session --no-keepalive -b ck.txt -c ck.txt 5 [rhusar@x220 script]$ cat ck.txt # Netscape HTTP Cookie File # http://curl.haxx.se/docs/http-cookies.html # This file was generated by libcurl! Edit at your own risk. localhost FALSE /clusterbench FALSE 0 JSESSIONID byQZoVgzKHYrH2qSD-sH25A_.x [rhusar@x220 script]$ sleep 60; curl http://localhost:8080/clusterbench/session --no-keepalive -b ck.txt -c ck.txt 0 [rhusar@x220 script]$ cat ck.txt # Netscape HTTP Cookie File # http://curl.haxx.se/docs/http-cookies.html # This file was generated by libcurl! Edit at your own risk. localhost FALSE /clusterbench FALSE 0 JSESSIONID byQZoVgzKHYrH2qSD-sH25A_.x [rhusar@x220 script]$ 5~^Ceep 60; curl http://localhost:8080/clusterbench/session --no-keepalive -b ck.txt -c ck.txt [rhusar@x220 script]$ curl http://localhost:8080/clusterbench/session --no-keepalive -b ck.txt -c ck.txt 1[rhusar@x220 script]$ at ck.txt # Netscape HTTP Cookie File # http://curl.haxx.se/docs/http-cookies.html # This file was generated by libcurl! Edit at your own risk. localhost FALSE /clusterbench FALSE 0 JSESSIONID byQZoVgzKHYrH2qSD-sH25A_.x
-
2. Re: WildFly session id not change when timeout?
pferraro Mar 5, 2014 10:15 AM (in response to minglei.lee)I realize that this behavior is different than it was in AS7, but I'm not sure I'd call it a bug. I don't see anything in the servlet spec that states that the session identifier of the new session cannot be the same as the previously invalidated one, so long as the attributes get cleared and its meta data reset, i.e. HttpSession.isNew() should return true.
Ideally though, we ought to use a new session identifier, otherwise this might cause issues for distributable web applications that use ASYNC replication.
Is there a jira for this?
-
3. Re: WildFly session id not change when timeout?
rhusar Mar 5, 2014 11:55 AM (in response to pferraro)Is there a jira for this?
WildFly session id not change when timeout?I didn't create one yet.
i.e. HttpSession.isNew() should return true.
It does -- so all that is fine.
Ideally though, we ought to use a new session identifier, otherwise this might cause issues for distributable web applications that use ASYNC replication.
+1